REMARKS 



Claims 1-2, 18-21 have been amended to clarify the subject matter regarded as the 
invention. New claim 22 has been added. Claims 1-22 are pending. 

Claims 1-2, 10-21 stand rejected under 35 U.S.C. 103(a) over I'Anson et al. and in view 
of Shanklin et al. Claims 3-4 stand rejected under 35 U.S.C. 103(a) over I'Anson and Shanklin, 
further in view of Wijendran. Claim 5 stands rejected under 35 U.S.C. 103(a) over I'Anson and 
Shanklin, further in view of Mangione-Smith. Claims 6-9 stand rejected under 35 U.S.C. 103(a) 
over I'Anson and Shanklin, further in view of Blam. 

The rejection is respectfully traversed. With respect to claim 1, I'Anson teaches 
comparing an observed sequence of received packets to a stored valid sequence to detect a 
deviation from valid protocol behavior (V Anson 4: 1 1-26). Shanklin teaches using regular 
expressions to identify malicious packets. Neither I'anson nor Shanklin teaches or suggests 
"determining that a connection under the network protocol is in the first state" and "using the 
regular expression to analyze the network protocol stream by applying, based at least in part on 
the determination that the connection under the network protocol is in the first state, the regular 
expression to a received packet associated with the connection to determine whether the packet is 
associated with the at least one valid transition" as recited in claim 1. As such, claim 1 is 
believed to be allowable. 

Claims 2-17 and 22 depend from claim 1 and are believed to be allowable for the same 
reasons described above. 

Similarly to claim 1, claim 18 recites "determining that a connection under the network 
protocol is in the first state" and "using the first regular expression and the second regular 
expression to analyze the network protocol stream, the analysis comprising applying, based at 
least in part on the determination that the connection under the protocol is in the first state, the 
first regular expression and the second regular expression to a received packet associated with 
the connection and providing an indication in the event the at least one invalid operation is 
detected". As such, claim 18 is believed to be allowable for the same reasons described above. 
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Like claim 1, claim 19 recites a computer configured to "determine that a connection 
under the network protocol is in a first state of the at least two states" and "analyze the network 
protocol stream by processing applying, based at least in part on the determination that the 
connection under the network protocol is in the first state, to a received packet associated with 
the connection a regular expression, the regular expression corresponding to a valid transition 
from the first state of the at least two states to a second state of the at least two states". As such, 
claim 19 is believed to be allowable for the same reasons described above. 

Like claim 1, claim 20 recites "determine that a connection under the network protocol is 
in a first state of the at least two states" and "applying , based at least in part on the 
determination that the connection under the network protocol is in the first state, to a received 
packet associated with the connection a regular expression, the regular expression corresponding 
to a valid transition from the first state of the at least two states to a second state of the at least 
two states". As such, claim 20 is believed to be allowable for the same reasons described above. 

Like claim 1, claim 21 recites "determining that a connection under the network protocol 
is in the first state" and "using the regular expression to analyze the network protocol stream by 
applying, based at least in part on the determination that the connection under the network 
protocol is in the first state, the regular expression to a received packet associated with the 
connection to determine whether the packet is associated with the at least one valid transition". 
As such, claim 21 is believed to be allowable for the same reasons described above. 

Further, neither I'anson nor Shanklin teaches or suggests applying a regular expression to 
"content data included in a payload portion of the received packet", in addition to the elements 
recited in claim 1, as recited in claim 22. Support for the new claim may be found, for example, 
at 14:18-15:7 and Figure 7. Claim 22 is believed to be allowable for this additional reason. 
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Reconsideration of the application and allowance of all claims are respectfully requested 
based on the preceding remarks. If at any time the Examiner believes that an interview would be 
helpful, please contact the undersigned. 

Respectfully submitted, 

William J. James 
Registration No. 40,661 
V 408-973-2592 
F 408-973-2595 



VAN PELT, YI & JAMES LLP 
10050 N. Foothill Blvd., Suite 200 
Cupertino, CA 95014 



Dated: $ ftf /OS 
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AMENDMENTS TO THE DRAWINGS: 

The attached sheets of drawings replace the original sheets. 
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INTERVIEW SUMMARY UNDER 37 CFR §1.133 AND MPEP §713.04 

A telephonic interview in the above-referenced case was conducted on May 23, 2005 
between the Examiner and the Applicants' undersigned representative. The Final Office Action 
mailed on March 28, 2005 was discussed. Specifically, the rejections of claims 1 and 12 and the 
proposed amendments set forth herein were discussed with the intent to place the claims in better 
condition for allowance or appeal. The Applicants wish to thank the Examiner for his time and 
attention in this case. 
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